
Some Win___ Program Is Disabling Ctrl+Alt+Delete


21 replies to this topic

#1 AeStuDd


Posted 28 October 2006 - 02:38 PM

Every morning before I use this computer I have to run Adaware, and it finds the same thing over and over. Here's the log after Adaware deleted it:
Logfile of HijackThis v1.99.1
Scan saved at 3:35:04 PM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Das\LOCALS~1\Temp\Rar$EX00.562\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [461ef1a.exe] C:\WINDOWS\system32\461ef1a.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [dmcth.exe] C:\WINDOWS\system32\dmcth.exe
O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A8B03C3-8953-47D9-A6DD-7B393E4817CB}: NameServer = 85.255.113.91,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{9BEBC7AB-A7FD-4173-84E1-6B4FCF607802}: NameServer = 85.255.113.91,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8BA57AA-7F78-4910-A1CC-1CE392D332BD}: NameServer = 85.255.113.91,85.255.112.9
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.91 85.255.112.9
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.91 85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.91 85.255.112.9
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#2 DaveM59


Posted 30 October 2006 - 06:22 PM

Hi AeStuDd,

Welcome to Bleeping Computer. :thumbsup:

I will be helping you, under the supervision of one of our expert coaches.

Please give me a little time to analyze your log and get back to you with instructions.

Thanks for your patience--

Dave

#3 DaveM59


Posted 31 October 2006 - 07:45 AM

Hi again AeStuDd,

You have some pretty nasty malware here. :thumbsup:

One of the worst is a backdoor worm. This program is capable of stealing passwords and other private information and transmitting them to hackers. For this reason, I urge you to take the following steps:

First, except when downloading files required for this fix, please keep your computer physically disconnected from the internet or any network.

Second, from a clean computer, immediately change all your passwords -- e-mail, bank access, and others. Also notify your financial institutions that your online security has been compromised, and monitor your accounts for any unauthorized activity.

One more thing I need to mention. I would be willing to bet that your computer was infected by one or more files that you downloaded using BitComet, knowingly or unknowingly. These types of peer-to-peer programs are dangerous because you never know where your downloads are coming from. One of the truisms of computer security is that you should only download files from sources that you know and trust. BitComet by its very nature violates this principle. This is not to say that the program itself is infected; it is not. But using it networks you to many other computers that may be infected. Before you decide to continue using it, consider whether the speed is worth the risk.


Before we begin the fix, you are running HijackThis from a temporary folder. This may cause problems with backups. Please install a copy in its own folder, as follows:

First, delete the HijackThis .zip file currently on your computer.

Then, download the self-extracting installation file here. Save it to your desktop.

Next, double-click the HijackThis_SFX.exe file icon. A window will open. Accept the default installation folder by clicking Unzip on the right side of the window.

Navigate to the program by clicking My Computer, C:, then double clicking Program Files. Find the HijackThis folder and double-click it to open.

If you would like to make a shortcut for your Desktop so it's more easily accessible, right click the HijackThis icon (it looks like a detonator with some dynamite sticks) and choose Send To > Desktop (create shortcut).

Having taken care of that, we can start cleaning your computer. Please print out the following instructions or save them in a Notepad file, as some steps will be done in safe mode, with no internet access.



Step 1. Unhide files and folders

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and close out My Computer.
9. Now your computer is configured to show all hidden files.
Step 2. Download and install AVG Antispyware

Open your browser and go to This page. Read the information regarding the paid and free versions of the program, then at the bottom of the page click the orange box labeled Download Now. Save the AVG-AS setup file to your desktop. Close your browser.

Double click the AVGAS setup icon. Unless you need to change the language first, click OK, then Next.

On the License agreement screen click I Agree. Then accept the default installation folder by clicking Next.

Finally, click Install. The program will then copy files and register itself; when it tells you it is installed, click Finish.

AVG-AS 7.5 will open. On the Status screen you will see a line Last Update ! Never. On that line click Update Now.

After the program updates, you may want to change the Auto Updates options. The default is to check for updates every 60 minutes, which you may feel is excessive. Note that after the 30 day trial period, Auto Updates is disabled unless you pay for the program.

Now click the Scanner icon at the top of the window. Click the Settings tab. When that screen opens select the radio button Automatically produce a report after every scan. Uncheck the box Only if threats were found.

On the same screen, under "How to Act", click on Recommended Actions. Select Quarantine.

Leave the other settings on that screen at their defaults.

Close the program. This will save the settings changes. Do not run a scan yet.
Step 3. Submit file

I need you to submit a file for analysis. Go to this page:

Virustotal

Go to the select file line at the top and click Browse. This will open a File Upload window, which works just like the File Save window I am sure you are familiar with. Navigate to the file C:\WINDOWS\system32\dmcth.exe and click to select it, then click Open. You will then see the filename in the space next to the Browse button. Click Send. Your file will be put in a queue to be scanned with a battery of programs. When the scan is finished, you will be presented with a report. To save the report, highlight the relevant block of text on the web page, then press <Ctrl> - C. Open Notepad and press <Ctrl> - V. Save the file to your desktop as Virustotal.txt or some other name you will recognize.


Step 4. Download and run Fixwareout

The next step is to deal with your Wareout infection.

Download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop.

Now, Run Fixwareout:
  • First, make sure you are connected to the internet. Fixwareout requires the connection in order to download a program it uses (Brute Force Uninstaller).
  • Double click the program icon on your desktop. A window will open with a Welcome message. Click Next.
  • On the next screen, click Install.
  • After installation, another screen will open. Make sure "Run fixit" is checked and click Finish.
  • A black command line screen will open telling you what FixWareout is about to do, and asking you to press any key. Do so.
  • If nothing happens, move your mouse pointer over a blank area in the black window and click on it. Then press a key.
  • Another message will pop up saying the script is registered to run on reboot.
  • A BFU window will pop up asking you to allow the system to reboot your computer. Click OK.
  • Another window will pop up saying you must reboot your computer. Click Yes.
  • The reboot will go normally until you log on (if your system is set for this).
  • Once the desktop wallpaper appears, a BFU window will pop up saying the fix is beginning. Click OK. There will be a delay while the script runs.
  • During the delay, you may see one or more popup windows asking for patience. Each time, click OK to continue.
  • Eventually you will get a window saying the script is finished, with instructions to post the report that will appear. Click OK.
  • Finally, your desktop icons will load and the report will appear. Save it to your desktop.
Step 4. HijackThis fix

Open your new copy of HijackThis and run a scan. Once the scan is finished, place a check next to the following lines, if present (some should have been removed by FixWareout):

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [461ef1a.exe] C:\WINDOWS\system32\461ef1a.exe
O4 - HKLM\..\Run: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [dmcth.exe] C:\WINDOWS\system32\dmcth.exe
O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A8B03C3-8953-47D9-A6DD-7B393E4817CB}: NameServer = 85.255.113.91,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{9BEBC7AB-A7FD-4173-84E1-6B4FCF607802}: NameServer = 85.255.113.91,85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8BA57AA-7F78-4910-A1CC-1CE392D332BD}: NameServer = 85.255.113.91,85.255.112.9
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.91 85.255.112.9
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.91 85.255.112.9
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.91 85.255.112.9

Step 5. Boot into Safe Mode

If you don't know how to do this, here are two ways:

F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a menu.
  • When you have the menu on the screen, use the arrow keys to move to the line that says Safe Mode.
  • Then press <Enter> on your keyboard to boot into Safe Mode.
Bootsafe utility

If the F8 method does not work, you can download this program: Bootsafe.exe. Download the .exe file (not the zip file) directly to your desktop; it requires no installation. To use it, double click the program icon, then select the radio button Safe Mode - Minimal and click on the Reboot button.


Step 6. Delete Files

Use Windows Explorer (Start/My Computer) to navigate to and delete the following, if present:

C:\WINDOWS\system32\scvhost.exe <== Note the spelling. Be sure not to delete the legitimate Windows file svchost.exe, which is vital to proper system function.
C:\WINDOWS\system32\461ef1a.exe
C:\WINDOWS\system32\dmcth.exe

Step 7. Scan with AVG AntiSpyware

Double click the AVG-AS 7.5 icon on your desktop to start the program.

Click the Scan tab. When the screen opens, select Complete System Scan. This action will take some time.

When the scan is finished, scroll through the list. Except for cookies, which should be set to Delete, every item should be set to Quarantine. If this is not the case, change it.

Now click Apply All Actions. Then click Save Report. On the screen that opens, click Save Report As, and in the Report save as... window navigate to and select your Desktop. You may want to rename the report file to something such as AVGAS_scan01.txt that will make it easier to recognize.

Close the program.
Step 8. Reboot back into normal mode

If you used the F8 method, Windows should automatically reboot into normal mode when you restart it. If you used Bootsafe, open the program and select the Normal Mode radio button, then click Reboot.


Step 9. HijackThis scan, and get back to me

Run a fresh HJT scan. Post the HJT log, the Virustotal results, the FixWareout report and the AVG-AS report to a reply here. Also, please let me know how your system is running. If you run into any trouble performing these steps, please post back right away and I will help you work around the problem.

Good luck!

Dave

Edited by DaveM59, 31 October 2006 - 08:40 AM.
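A defender's triage script for the indicator classes Dave picks out of the first log: the scvhost/svchost lookalike, the F2/F3 shell and load/run hooks, the random-named system32 executables (including the five-letter cs/dm/jb names the Fixwareout report searches for), the O7 policy lock and the O17 NameServer entries. This is an added example, not part of the thread, HijackThis or Fixwareout; the sample log is a constructed cut-down copy of the first post, and the trusted-resolver list (`TRUSTED_NAMESERVERS`) is an assumption to replace with your own network's DNS.

```python
"""Triage a HijackThis 1.99 log for the indicator classes discussed in this thread.
Added example, not part of the thread, HijackThis or Fixwareout. The sample log is a
constructed cut-down copy of the first post; the trusted-resolver list is an assumption."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "category line")

# Windows XP system binaries whose names malware likes to imitate.
SYSTEM_BINARIES = {"svchost.exe", "csrss.exe", "lsass.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe"}
# Assumption: the resolvers this machine is expected to use (router / ISP DNS).
TRUSTED_NAMESERVERS = {"192.168.1.1"}
# Name heuristics: all-hex stems like 461ef1a.exe, and the five-letter
# cs/dm/jb names that the Fixwareout report in this thread searches for.
HEX_NAME = re.compile(r"^[0-9a-f]{5,}\.exe$", re.I)
WAREOUT_NAME = re.compile(r"^(cs|dm|jb)[a-z]{3}\.exe$", re.I)
EXE_PATH = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.exe", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def osa_distance(a, b):
    """Optimal-string-alignment edit distance: swapping two adjacent
    letters (scvhost vs svchost) counts as a single edit."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike_of(name):
    """Return the system binary `name` imitates (exactly one edit away),
    or None. An exact system-binary name is legitimate and returns None."""
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return None
    for legit in SYSTEM_BINARIES:
        if osa_distance(name, legit) == 1:
            return legit
    return None

def triage_hjt(log_text):
    """Walk every log line and collect the indicators a helper would flag."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Any executable path on the line: lookalike or random-looking name?
        for path in EXE_PATH.findall(line):
            name = path.rsplit("\\", 1)[-1]
            legit = lookalike_of(name)
            if legit:
                findings.append(Finding("lookalike of " + legit, line))
            elif HEX_NAME.match(name) or WAREOUT_NAME.match(name):
                findings.append(Finding("random-looking name", line))
        # F2/F3: system.ini Shell= must be exactly Explorer.exe and win.ini
        # load=/run= must be empty; anything else starts with the shell.
        if line.startswith(("F2 -", "F3 -")) and "=" in line:
            value = line.split("=", 1)[1].strip()
            if value.lower() not in ("", "explorer.exe"):
                findings.append(Finding("shell/load/run hijack", line))
        # O7: a policy such as DisableRegedit=1 locking the user out of tools.
        if line.startswith("O7 -") and re.search(r"Disable\w+=1", line):
            findings.append(Finding("policy restriction", line))
        # O17: resolvers off the trusted list mean every DNS lookup is redirected.
        if line.startswith("O17 -") and "NameServer" in line:
            servers = IPV4.findall(line.split("=", 1)[1])
            rogue = [s for s in servers if s not in TRUSTED_NAMESERVERS]
            if rogue:
                findings.append(Finding("untrusted NameServer " + ",".join(rogue), line))
    return findings

# Constructed sample: a cut-down copy of the log in the first post.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\scvhost.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [461ef1a.exe] C:\WINDOWS\system32\461ef1a.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [dmcth.exe] C:\WINDOWS\system32\dmcth.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.91 85.255.112.9
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.category}] {f.line}")
```

Feed it a full log and review the flagged lines by hand; the heuristics narrow the list, they do not replace a helper's judgement.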


#4 AeStuDd


Posted 31 October 2006 - 12:21 PM

Well, there are some problems: the .exe dmcth cannot be found, and I can't run Fixwareout because the virus disabled it from the administrative. What to do?

#5 DaveM59


Posted 31 October 2006 - 12:51 PM

Hi,

can't run Fixwareout because the virus disabled it from the administrative.


Can you post the exact error message you get while running Fixwareout? Also, at what point in the process does the error message pop up?

Dave

#6 AeStuDd


Posted 31 October 2006 - 01:06 PM

Oh, and C:\WINDOWS\system32\461ef1a.exe
C:\WINDOWS\system32\dmcth.exe
are missing.

Hi,

can't run Fixwareout because the virus disabled it from the administrative.


Can you post the exact error message you get while running Fixwareout? Also, at what point in the process does the error message pop up?

Dave

I just ran it in Safe Mode and it worked...
And it would pop up in cmd and say it has been disabled by admin.
But it's run through Safe Mode. Will post the results in a second.

#7 AeStuDd


Posted 31 October 2006 - 01:16 PM

Alright, here they are:


HJT:
Logfile of HijackThis v1.99.1
Scan saved at 1:11:10 PM, on 10/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


FIXWAREOUT:

Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\zmkmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1trap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\2trap
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmkmz.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Searching by size/names...
* csr.exe C:\WINDOWS\System32\CSQZH.EXE


Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSQZH.EXE 51,260 2006-08-22
C:\WINDOWS\SYSTEM32\DMBJR.EXE 62,052 2004-08-04
C:\WINDOWS\SYSTEM32\DMKMZ.EXE 62,052 2004-08-04

Other suspects.
Directory of C:\WINDOWS\system32

Misc files.

Checking for older varients covered by the Rem3 tool.



And last but not least
AVG
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:10:25 PM 10/31/2006

+ Scan result:



C:\WINDOWS\system32\rk.bin -> Adware.RK : No action taken.
C:\RECYCLER\S-1-5-21-746137067-1682526488-725345543-500\Dc6.exe -> Backdoor.Ciadoor.13 : No action taken.
C:\WINDOWS\system32\wsock32.sys -> Backdoor.Ciadoor.13 : No action taken.
C:\WINDOWS\system32\y4uw345BEL.ini -> Backdoor.Ciadoor.13 : No action taken.
C:\Documents and Settings\Admin\Cookies\admin@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Administrator.DASROOM\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
:mozilla.156:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.19:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.20:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.93:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.94:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.68:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.69:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.70:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.71:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.72:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.73:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.32:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.50:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Bridgetrack : No action taken.
:mozilla.51:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Bridgetrack : No action taken.
:mozilla.59:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.60:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.61:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.62:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.63:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.64:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.65:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.66:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.18:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Clickhype : No action taken.
:mozilla.22:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Clickhype : No action taken.
C:\Documents and Settings\Administrator.DASROOM\Cookies\administrator@cz7.clickzs[1].txt -> TrackingCookie.Clickzs : No action taken.
:mozilla.28:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Administrator.DASROOM\Cookies\administrator@image.masterstats[1].txt -> TrackingCookie.Masterstats : No action taken.
:mozilla.136:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Revenue : No action taken.
:mozilla.15:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Revenue : No action taken.
:mozilla.52:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.53:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.54:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.55:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.56:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.81:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.82:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.83:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.84:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.85:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.86:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.100:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.13:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.14:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.98:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.99:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
HKLM\SOFTWARE\Classes\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C} -> Trojan.Ciadoor.m : No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E14DCE67-8FB7-4721-8149-179BAA4D792C} -> Trojan.Ciadoor.m : No action taken.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E14DCE67-8FB7-4721-8149-179BAA4D792C} -> Trojan.Ciadoor.m : No action taken.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E14DCE67-8FB7-4721-8149-179BAA4D792C} -> Trojan.Ciadoor.m : No action taken.
C:\WINDOWS\system32\dmbjr.exe -> Trojan.Small.fb : No action taken.
C:\WINDOWS\system32\dmkmz.exe -> Trojan.Small.fb : No action taken.


::Report end

#8 AeStuDd

Posted 31 October 2006 - 01:44 PM

I booted up the PC now, and I get an error that says


"Windows cannot find C:\WINDOWS\system32\scvhost.exe. Make sure you typed the name correctly and then try again. To search for a file, click the Start button, and then click the Search button"

and then it gives me 4 other error messages saying the same thing.


Task manager is still disabled.

Edited by AeStuDd, 31 October 2006 - 01:46 PM.


#9 AeStuDd

Posted 31 October 2006 - 02:01 PM

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:58:12 PM 10/31/2006

+ Scan result:



:mozilla.59:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.60:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.72:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.75:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Bridgetrack : No action taken.
:mozilla.76:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Bridgetrack : No action taken.
:mozilla.22:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.24:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.25:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.58:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Clickhype : No action taken.
:mozilla.62:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Clickhype : No action taken.
:mozilla.68:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.55:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Revenue : No action taken.
:mozilla.77:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.78:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.79:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.80:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.81:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.53:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.54:C:\Documents and Settings\Administrator.DASROOM\Application Data\Mozilla\Firefox\Profiles\3qqrewi8.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
HKU\S-1-5-21-746137067-1682526488-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E14DCE67-8FB7-4721-8149-179BAA4D792C} -> Trojan.Ciadoor.m : No action taken.
HKU\S-1-5-21-746137067-1682526488-725345543-1005\Software\Classes\CLSID\{336ec37f-54bf-4f13-8237-03f64fa591e7} -> Trojan.Small : No action taken.
HKU\S-1-5-21-746137067-1682526488-725345543-1005_Classes\CLSID\{336ec37f-54bf-4f13-8237-03f64fa591e7} -> Trojan.Small : No action taken.


::Report end




I did another one on my true account, not administrative, and got this

#10 DaveM59

Posted 31 October 2006 - 02:20 PM

Thanks for the reports, I'll have to analyze them. (At work now, no time, sorry.) However a few quick questions that may give me some more clues:

Did you run the Hijackthis fix?

Did you make sure that AVG Antispyware was set to quarantine and then click Apply All Actions _before_ you saved the report?

Once you get the scvhost.exe messages, does XP boot up normally?

Did you unhide files and folders before looking for those files on the delete list? and did you manage to delete scvhost.exe?

I may not get back to you until tomorrow morning, as I said I'm at work and my coach will have to look at this information as well. Please answer these questions and if you have noticed anything else that might be relevant mention that as well.

Dave

#11 AeStuDd

Posted 31 October 2006 - 02:31 PM

Yes, I ran the HJT fix.
Yes, I made sure it was set to quarantine and that I applied the actions.
Yes, after all the messages, 6 I believe, it starts up normally.
Yes, I unhid files, managed to find and delete Scvhost.exe, and cleared the recycle bin.

And thanks so far for helping me out, I don't know if you get paid or if this is voluntary, but you need a pay raise :thumbsup:




Just get back to me whenever you can :flowers:

#12 DaveM59

Posted 01 November 2006 - 01:05 PM

Hi again,

More questions before we start.

When you tried to run Fixwareout in normal mode, was this the error message you received?

The command prompt has been disabled by your administrator

If it was then I'm wondering how you ran Fixwareout. When you ran the program, were you in Safe Mode with Network support? And were you logged onto the Administrator account? By all appearances this must be the case, and if my guesses are right, congratulations on your cleverness in defeating the defenses of this evil program!

Let's take care of your "Policy problems" first, this should restore your Task manager and command line.

Open Notepad, and copy and paste the text in the quote box into it.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
"DisableCMD"=-


Press <Enter> to add a blank line, then click Save As. Save the file in C:\Windows\System32, name it policies.reg and set Save As type to All Files. Then click Save.

Next, download Bobbi Flekman's SWReg.exe tool from this page:

http://www.xs4all.nl/~fstaal01/swreg-us.html

Save that file also in the C:\Windows\System32 folder.

Now click Start, Run, then copy and paste the following into the text box
next to Open:

swreg import policies.reg


You should see a black command window flash open and then close immediately. If it stays open, with an error message, please note and report it.

Another question:

Is there any chance you missed this line

O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe

when you did the HijackThis fix? If not we may have to do some more registry editing to get rid of it. However, let's try the easy way first.

Open HijackThis and run a scan. Place a check next to the following lines:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)

Now make sure all other windows on the desktop are closed, and no programs are shown in your taskbar. Then click Fix Checked. Close HijackThis.

Reboot into Safe Mode.

Navigate to and delete the following files, if found:

C:\WINDOWS\system32\dmbjr.exe
C:\WINDOWS\system32\dmkmz.exe
C:\WINDOWS\system32\rk.bin
C:\WINDOWS\system32\wsock32.sys
C:\WINDOWS\system32\y4uw345BEL.ini
C:\WINDOWS\system32\461ef1a.exe
C:\WINDOWS\system32\dmcth.exe

Note any you cannot find or cannot delete.

Reboot into normal mode.

Submit the following file for analysis at Virustotal. Follow the instructions I gave in Step 3, above.

C:\WINDOWS\SYSTEM32\CSQZH.EXE

If the file comes up as malware (and I think it will), delete it.

Finally, let's run AVG Antispyware again, this time in Normal Mode. First update the program, then run a full system scan. As before, when the scan is finished, make sure everything is set to Quarantine, then Apply all actions. Then save the report.

Finally, run another HijackThis scan.

Post the HJT log, and the AVG-AS report to a reply here. Also please let me know if you were unable to complete any steps, and how the computer is running now.


Just to answer your question, we're all volunteers here.

Dave
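
The policies.reg fix above deletes the three lockdown values outright rather than setting them to 0, and it has to go in through SWReg because regedit itself is one of the tools the policy disables. As an added example, not code from the original post or from SWReg, the following Python script parses a .reg file in the same REGEDIT 5.00 format, applies it to an in-memory snapshot of the registry and reports what changed. The snapshot's starting values are constructed assumptions (the thread never shows what the malware actually wrote), and the parser only decodes plain string and dword: data plus the `"Name"=-` and `[-Key]` deletion forms.

```python
"""Parse a Windows .reg (REGEDIT 5.00) export and apply it to a registry snapshot."""
import re

# Policy key the .reg file in the post targets.
LOCKDOWN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed snapshot: assumed values the malware set (not shown in the thread).
INFECTED_SNAPSHOT = {
    LOCKDOWN_KEY: {
        "DisableTaskMgr": 1,
        "DisableRegistryTools": 1,
        "DisableCMD": 2,
    },
}

# The fix from the post, verbatim.
POLICIES_REG = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
"DisableCMD"=-
"""

_KEY_RE = re.compile(r'^\[(-?)(.+)\]$')              # [Key] or [-Key]
_VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')     # "Name"=data or @=data


def parse_reg(text):
    """Yield (key, name, action, data) from .reg text.

    action is 'delete_key', 'delete_value' or 'set'. Only dword: and quoted
    string data are decoded; anything else raises so nothing is silently skipped.
    """
    lines = text.splitlines()
    if not lines or not lines[0].startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("missing REGEDIT5 header")
    key = None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1) == "-":            # [-Key] deletes the whole key
                yield key, None, "delete_key", None
                key = None
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(2)
            if data == "-":                  # "Name"=- deletes the value
                yield key, name, "delete_value", None
            elif data.startswith("dword:"):
                yield key, name, "set", int(data[6:], 16)
            else:
                yield key, name, "set", data.strip('"')
        else:
            raise ValueError("unparseable line: %r" % line)


def apply_reg(snapshot, text):
    """Return (new_snapshot, change_log) after applying the .reg operations."""
    reg = {k: dict(v) for k, v in snapshot.items()}
    changes = []
    for key, name, action, data in parse_reg(text):
        if action == "delete_key":
            if reg.pop(key, None) is not None:
                changes.append(("delete_key", key, None))
        elif action == "delete_value":
            if name in reg.get(key, {}):
                del reg[key][name]
                changes.append(("delete_value", key, name))
        else:
            reg.setdefault(key, {})[name] = data
            changes.append(("set", key, name))
    return reg, changes


def lockdown_values(snapshot):
    """Names of the three lockdown policies still present under the HKCU key."""
    return sorted(n for n in snapshot.get(LOCKDOWN_KEY, {})
                  if n in ("DisableTaskMgr", "DisableRegistryTools", "DisableCMD"))


if __name__ == "__main__":
    cleaned, log = apply_reg(INFECTED_SNAPSHOT, POLICIES_REG)
    for entry in log:
        print(entry)
    print("remaining lockdown values:", lockdown_values(cleaned))
```

The point of the `=-` form is that the value disappears instead of being left at 0, so a later check of the key shows nothing for the malware to have touched; on a live machine the same snapshot could be read with the standard-library `winreg` module before and after the import.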

#13 AeStuDd

Posted 01 November 2006 - 09:15 PM

I couldn't find in HJT:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\RunServices: [Generic Host Process]

Was not able to locate any of these...
-C:\WINDOWS\system32\dmbjr.exe
-C:\WINDOWS\system32\dmkmz.exe
-C:\WINDOWS\system32\rk.bin
-C:\WINDOWS\system32\wsock32.sys
-C:\WINDOWS\system32\y4uw345BEL.ini
-C:\WINDOWS\system32\461ef1a.exe
-C:\WINDOWS\system32\dmcth.exe

#14 AeStuDd

Posted 01 November 2006 - 09:28 PM

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
Should I remove this as well?

#15 AeStuDd

Posted 01 November 2006 - 09:31 PM

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:28:17 PM 11/1/2006

+ Scan result:



:mozilla.34:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.35:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.36:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.37:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.38:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.39:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.40:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.41:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.42:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.43:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.44:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.45:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.77:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.119:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.120:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.121:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.50:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.51:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.108:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.109:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.110:C:\Documents and Settings\Das\Application Data\Mozilla\Firefox\Profiles\x71363a3.default\cookies.txt -> TrackingCookie.Zedo : No action taken.


::Report end



Logfile of HijackThis v1.99.1
Scan saved at 9:28:31 PM, on 11/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
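
As an added example, not code from the original thread or from HijackThis: a short Python triage script that runs over HJT-style lines and flags the three things worth noticing in the logs in this thread, a process name one keystroke away from a Windows core process (scvhost.exe against svchost.exe in the RunServices entry quoted earlier), an O7 policy lockdown, and an O23 service whose path is malformed or whose target is missing. The sample lines are copied from the thread's logs into a constructed list; the core-process list and the edit-distance-1 threshold are my assumptions.

```python
"""Triage HijackThis-style log lines for lookalike names, policy lockdowns
and broken service entries."""
import re

# Assumed list of XP core process names that malware likes to imitate.
CORE_PROCESSES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                  "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe"}

# Constructed input: lines copied from the HJT logs in this thread.
SAMPLE_LINES = [
    r"O4 - HKLM\..\RunServices: [Generic Host Process] C:\WINDOWS\system32\scvhost.exe",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\C:\WINDOWS\system32\svchost.exe (file missing)",
    r"O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe",
]

# Matches an optional drive-rooted directory followed by a .exe file name.
_PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\\)?([^\\\s"]+\.exe)', re.IGNORECASE)


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so a swapped pair of letters (scv/svc) costs 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike(name):
    """Return the core process name that `name` imitates, or None."""
    name = name.lower()
    if name in CORE_PROCESSES:
        return None
    for real in sorted(CORE_PROCESSES):
        if osa_distance(name, real) == 1:
            return real
    return None


def triage(line):
    """Return a list of (tag, detail) findings for one HJT line."""
    findings = []
    if line.startswith("O7 "):
        findings.append(("policy_lockdown", line.split(", ", 1)[-1]))
    for _directory, exe in _PATH_RE.findall(line):
        real = lookalike(exe)
        if real:
            findings.append(("lookalike", "%s imitates %s" % (exe, real)))
    if line.startswith("O23 "):
        target = line.split(" - ")[-1]
        if "(file missing)" in line:
            findings.append(("service_target_missing", target))
        if len(re.findall(r'[A-Za-z]:\\', line)) > 1:   # two drive roots in one path
            findings.append(("malformed_service_path", target))
    return findings


def triage_log(lines):
    """Map each flagged line to its findings; clean lines are omitted."""
    report = {}
    for line in lines:
        found = triage(line)
        if found:
            report[line] = found
    return report


if __name__ == "__main__":
    for line, found in triage_log(SAMPLE_LINES).items():
        print(line)
        for tag, detail in found:
            print("   ", tag, "->", detail)
```

The lookalike check deliberately ignores the directory, because here the fake lived in system32 next to the real svchost.exe; the name, not the location, is what gives it away. The double drive root in the SharedAccess ImagePath is the same kind of defect, a service entry that can no longer start the Windows Firewall.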



